Merge pull request #49 from riccardobiraghi/issue36

Use template for TLS MQSC commands

cmd/runmqdevserver/tls.go

@@ -117,20 +117,24 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 		return err
 	}
 
-	f, err := os.OpenFile("/etc/mqm/20-dev-tls.mqsc", os.O_WRONLY|os.O_CREATE, 0770)
+	var sslCipherSpec string
+	if os.Getenv("MQ_DEV") == "true" {
+		sslCipherSpec = "TLS_RSA_WITH_AES_128_CBC_SHA256"
+	} else {
+		sslCipherSpec = ""
+	}
+
+	const mqsc string = "/etc/mqm/20-dev-tls.mqsc"
+	const mqscTemplate string = mqsc + ".tpl"
+
+	err = processTemplateFile(mqscTemplate, mqsc, map[string]string{
+		"SSLKeyR":          filepath.Join(dir, "key"),
+		"CertificateLabel": newLabel,
+		"SSLCipherSpec":    sslCipherSpec,
+	})
 	if err != nil {
 		return err
 	}
-	defer f.Close()
-	// Change the Queue Manager's Key Repository to point at the new TLS key store
-	fmt.Fprintf(f, "ALTER QMGR SSLKEYR('%s')\n", filepath.Join(dir, "key"))
-	fmt.Fprintf(f, "ALTER QMGR CERTLABL('%s')\n", newLabel)
-
-	if os.Getenv("MQ_DEV") == "true" {
-		// Alter the DEV channels to use TLS
-		fmt.Fprintln(f, "ALTER CHANNEL('DEV.APP.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(OPTIONAL)")
-		fmt.Fprintln(f, "ALTER CHANNEL('DEV.ADMIN.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(OPTIONAL)")
-	}
 
 	err = configureWebTLS(cms)
 	if err != nil {

incubating/mqadvanced-server-dev/20-dev-tls.mqsc.tpl

@@ -0,0 +1,22 @@
+* © Copyright IBM Corporation 2018
+*
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+
+* Set the keystore location for the queue manager
+ALTER QMGR SSLKEYR('{{ .SSLKeyR }}')
+ALTER QMGR CERTLABL('{{ .CertificateLabel }}')
+
+* Set the cipherspec for dev channels
+ALTER CHANNEL('DEV.APP.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH({{ .SSLCipherSpec }}) SSLCAUTH(OPTIONAL)
+ALTER CHANNEL('DEV.ADMIN.SVRCONN') CHLTYPE(SVRCONN) SSLCIPH({{ .SSLCipherSpec }}) SSLCAUTH(OPTIONAL)

incubating/mqadvanced-server-dev/Dockerfile

@@ -49,10 +49,8 @@ RUN mkdir -p /run/runmqdevserver \
 
 COPY --from=builder /go/src/github.com/ibm-messaging/mq-container/runmqserver /usr/local/bin/
 COPY --from=builder /go/src/github.com/ibm-messaging/mq-container/runmqdevserver /usr/local/bin/
-# Copy template MQSC for default developer configuration
-COPY incubating/mqadvanced-server-dev/10-dev.mqsc.tpl /etc/mqm/
-# Copy template JSON for default web console configuration
-COPY incubating/mqadvanced-server-dev/admin.json.tpl /etc/mqm/
+# Copy template files
+COPY incubating/mqadvanced-server-dev/*.tpl /etc/mqm/
 # Copy web XML files for default developer configuration
 COPY incubating/mqadvanced-server-dev/web /etc/mqm/web
 RUN chmod +x /usr/local/bin/runmq*

test/docker/devconfig_test.go

@@ -78,7 +78,7 @@ func TestDevSecure(t *testing.T) {
 	hostConfig := container.HostConfig{
 		Binds: []string{
 			coverageBind(t),
-			tlsDir(t) + ":/var/tls",
+			tlsDir(t, false) + ":/var/tls",
 		},
 		// Assign a random port for the web server on the host
 		// TODO: Don't do this for all tests
@@ -98,7 +98,7 @@ func TestDevSecure(t *testing.T) {
 	defer cleanContainer(t, cli, ctr.ID)
 	startContainer(t, cli, ctr.ID)
 	waitForReady(t, cli, ctr.ID)
-	cert := filepath.Join(tlsDir(t), "server.crt")
+	cert := filepath.Join(tlsDir(t, true), "server.crt")
 	waitForWebReady(t, cli, ctr.ID, createTLSConfig(t, cert, tlsPassPhrase))
 	runJMSTests(t, cli, ctr.ID, true, "app", devAppPassword)
 	// Stop the container cleanly

test/docker/devconfig_test_util.go

@@ -73,11 +73,21 @@ func waitForWebReady(t *testing.T, cli *client.Client, ID string, tlsConfig *tls
 }
 
 // tlsDir returns the host directory where the test certificate(s) are located
-func tlsDir(t *testing.T) string {
+func tlsDir(t *testing.T, unixPath bool) string {
 	dir, err := os.Getwd()
 	if err != nil {
 		t.Fatal(err)
 	}
+	if isWSL(t) {
+		// Check if the cwd is a symlink
+		dir, err = filepath.EvalSymlinks(dir)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !unixPath {
+			dir = strings.Replace(dir, getWindowsRoot(true), getWindowsRoot(false), 1)
+		}
+	}
 	return filepath.Join(dir, "../tls")
 }
 
@@ -106,7 +116,7 @@ func runJMSTests(t *testing.T, cli *client.Client, ID string, tls bool, user, pa
 	hostConfig := container.HostConfig{
 		Binds: []string{
 			coverageBind(t),
-			tlsDir(t) + ":/var/tls",
+			tlsDir(t, false) + ":/var/tls",
 		},
 	}
 	networkingConfig := network.NetworkingConfig{}

test/docker/docker_api_test_util.go

@@ -85,27 +85,29 @@ func coverageBind(t *testing.T) string {
 // isWSL return whether we are running in the Windows Subsystem for Linux
 func isWSL(t *testing.T) bool {
 	if runtime.GOOS == "linux" {
-
 		uname, err := exec.Command("uname", "-r").Output()
 		if (err != nil) {
 			t.Fatal(err)
 		}
-
 		return strings.Contains(string(uname), "Microsoft")
-
 	} else {
 		return false
 	}
 }
 
+// getWindowsRoot get the path of the root directory on Windows, in UNIX or OS-specific style
+func getWindowsRoot(unixStylePath bool) string {
+	if unixStylePath {
+		return "/mnt/c/"
+	} else {
+		return "C:/"
+	}
+}
+
 // getTempDir get the path of the tmp directory, in UNIX or OS-specific style
 func getTempDir(t *testing.T, unixStylePath bool) string {
 	if isWSL(t) {
-		if unixStylePath {
-			return "/mnt/c/Temp/"
-		} else {
-			return "C:/Temp/"
-		}
+		return getWindowsRoot(unixStylePath) + "Temp/"
 	} else {
 		return "/tmp/"
 	}